Abstract
An analysis of the policy, research and historical documents was performed to better understand the regulatory context within which the Japanese government has come to address the social control of human genome research and the measures it has taken, with regard to the handling of personal data, an area where innovations in the life sciences and in information and communication technology overlap. Our study revealed a shift in policy over time from a rigid to a more collaborative approach to regulation. From the 1980s to the 2000s, security control measures were developed to prevent leakage of personal data to external entities, using methods such as anonymisation, which can be applied in a linkable or unlinkable fashion. However, by the 2010s, de-identification measures have been introduced. They make it possible to utilise personal data that is de-identified (not completely, but specific individuals cannot be easily identified) in certain types of genomic research. This also involved the establishment of an independent data protection authority that controls the utilisation of data in collaboration with other stakeholders. Through this process, bioethics policy has become an established science and technology policy in Japan; and in recent years, bioethics policy has also gained relevance in areas outside the life sciences.
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.Avoid common mistakes on your manuscript.
Introduction
With the advent of genomic medicine, countries around the world have stepped up efforts to develop science and technology policies that will facilitate the active use of personal genetic information to advance this emerging capability (Manolio et al. 2015). In Japan as well, two government agencies, the ‘Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society’ (hereafter, the IT Strategic Headquarters) and the ‘Headquarters for Healthcare Policy’, have hammered out a bioethics policy on the provision of genomic information to a third party, in mutual cooperation in 2014 (Headquarters for Healthcare Policy 2014; IT Strategic Headquarters 2014b). The former requires that genomic information is processed to contain less identifiable ‘personal data’ (i.e. any information relating to an identified or identifiable natural person) before it can be used in biomedical research, while the latter requires broad consent before such information can be used. Since the beginning of the twenty-first century, this development reflects the broader context in which rapid progress and innovation have occurred in information and communication technology (ICT) and in the life sciences, and also where the two overlap (Minari et al. 2014; OECD 2016).
In recent years, the public policy field has accumulated several comparative analyses of self-regulation of these technologies, mainly in the field of ICT, in relation to the United States of America (US) and the European Union (EU) (Balleisen and Eisner 2009; Brown and Marsden 2013; European Parliament, European Council and European Commission 2003; Newman and Bach 2004). While both jurisdictions have developed regulatory frameworks that involve, to a certain extent, an element of stakeholder participation in the establishment of regulations, the level of governmental intervention is lower in the US and higher in the EU. The former has adopted an approach of ‘legalistic self-regulation’, in which the government imposes controls with legal force over industry self-management, while the latter has adopted ‘coordinated self-regulation’, in which the government makes adjustments and manages in collaboration with the industry.
However, it has not been sufficiently clarified as to how policies regarding genomic medicine—on common ground between the fields of the life sciences and ICT—can be understood in terms of the above-mentioned frameworks, which is primarily focused on the current state of ICT. Therefore, a framework that facilitates collaborative support among stakeholders, including government, industry and researchers, to promote innovation related to this type of biomedicine has almost never been discussed. The complexity of ethical, legal and social implications (ELSI) surrounding the life sciences has been considered to be one of the main reasons why it has been difficult to take appropriate regulatory measures in Japan (Akabayashi 2009) and elsewhere (Fox and Swazey 2008; Marsden 2011; O’Neill 2002).
This paper focuses on the process through which the handling of personal data in the life sciences and ICT in Japan has become intertwined, and how the Japanese government has come to shape the regulatory control of human genome research. Part of the goal will be to help effect a change in the conventional perspective (which relies on comparison of regulations of ICT in the US and the EU). At the same time, the paper will look at precisely how control of personal data has come to be included in the framework of bioethics policy in Japan.
Policy Analysis
In providing a historical background to how human genome research has been regulated in Japan, a focus is placed on the regulation of the use of personal data in biomedical research. Analysis of relevant policy documents reveals two publications by the Organisation for Economic Co-operation and Development (OECD) that have been crucial to personal data policy formation in Japan: the 1980 “Recommendation of the Council Concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data” (hereafter, the “OECD Privacy Guidelines”) and the 2007 “Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy”. These two publications have been pivotal to the extent that they divide personal data policy formation in Japan into two periods: a ‘formulation period’ (1980–2007), during which policies emphasising personal data protection were formed based on security control measures, and a ‘development period’ (2007–2017), during which policies promoting the distribution of personal data were formed based on de-identification measures.
The Formulation Period (1980–2007)
From the early 1980s, regulations pertaining to ICT required implementation of security control measures when personal data was handled. Then, in the late 1990s, the concept of anonymisation of genetic information, in either a linkable or an unlinkable fashion, became a core feature of regulation in the life sciences. By the early 2000s, both security control measures and anonymisation have been incorporated into general science and technology policies in Japan from discourses on bioethics. This section will expand on each of these phases (see Table 1 for a summary of key policy documents from 1980 to 2007).
In this paper, ‘security control measures’ refer to methods implemented to prevent leakage, loss and/or damage of personal data. In 1980, the OECD issued the “OECD Privacy Guidelines”, which endorsed the following eight basic principles for member states to apply domestically in order to protect the privacy of personal data provided to a third party (OECD 1980): (1) Collection Limitation Principle, (2) Data Quality Principle, (3) Purpose Specification Principle, (4) Use Limitation Principle, (5) Security Safeguard Principle, (6) Openness Principle, (7) Individual Participation Principle and (8) Accountability Principle. The fifth principle (the Security Safeguard Principle) laid out the importance of security control measures to protect personal data against such ‘risks as loss or unauthorised access, destruction, use, modification or disclosure of data’.
In Japan, a legislative process responding to these OECD recommendations gained momentum in 1995, when “Directive 95/46/EC on the Protection of Individuals with Regard to the Processing and Free Movement of Such Data” (European Parliament and European Council 1995) was established in the EU, calling for the development of domestic laws to protect personal data in each member state. The IT Strategy Headquarters, which was established by the Cabinet in 2000, issued “Policy Outline Regarding the Basic Legislation for the Protection of Personal Information” that same year, summarising the eight principles of the “OECD Privacy Guidelines” into five overarching principles for the protection of personal data in Japan (limitation by intended use, acquisition by an appropriate method, ensuring the accuracy of content, implementation of security measures and ensuring transparency) (IT Strategy Headquarters 2000). However, this policy outline did not mention respect for the consent of data providers, the first of the eight principles (the Collection Limitation Principle).
In the meantime, the life sciences started applying anonymisation methods in the 1990s which rendered personal data either linkable or unlinkable. The General Conference of the United Nations Educational, Scientific and Cultural Organisation (UNESCO) announced the “Universal Declaration on the Human Genome and Human Rights” in 1997, which called for action to ensure that users of genetic information linked to identifiable individuals secure the confidentiality of such data (UNESCO 1997). As a more concrete measure, the Bioethics Committee of the Council for Science and Technology (CST) in Japan (currently, the Expert Panel on Bioethics, Council for Science, Technology and Innovation (CSTI)) issued a policy document entitled “Fundamental Principles of Research on the Human Genome” in 2000, urging the establishment of separate ethical guidelines and the inclusion of a requirement for anonymisation of genetic information (CST 2000). In response, the national Ministry of Education, Culture, Sports, Science and Technology (MEXT), Ministry of Health, Labour and Welfare (MHLW) and the Ministry of Economy, Trade and Industry (METI) jointly produced the first edition of the “Ethics Guidelines for Human Genome/Gene Analysis Research” (hereafter, the “Ethics Guidelines”) in 2001, thereby establishing two anonymisation methods that render genetic information linkable or unlinkable (MEXT, MHLW and METI 2001, 38):
-
a.
Anonymisation in a Linkable Fashion, whereby the genetic data and the identity information are separated and an individual can still be identified, if necessary, through a symbol or code that links the information on both documents.
-
b.
Anonymisation in an Unlinkable Fashion, whereby the identity information is simply removed and an individual cannot be identified anymore.
The three ministries set ‘anonymisation in an unlinkable fashion’ as the default standard; exceptions are only permitted with approval from the relevant research ethics committee(s) and with informed consent from the donor.
Bioethics policy based on these basic principles and guidelines was incorporated into the “2nd Science and Technology Basic Plan (2001–2005)”, formulated in 2001 by the Council for Science and Technology Policy (CSTP, the successor to the CST and predecessor to the current CSTI), which was reorganised in the same year, as follows (CSTP 2001, 41):
Patient’s human rights have to be respected such as through informed consent for the autonomy, and individual privacy, [which] have to be protected. … Bioethics issues have to be discussed as a problem for all of Japan. In the future, it is foreseen that S & T [Science and Technology], especially life sciences and IT, will advance much further and will affect people and society. Accordingly, it is indispensable to form a social consensus on bioethics and to make rules for life science research studies from bioethical aspects.
Given the impact of advancements in science and technology on society and individuals, this plan recommends that efforts be made to protect the privacy and human rights of patients who provide genetic information, from a bioethical standpoint.
The Japanese National Diet, in accordance with the IT Strategy Headquarters policy outline, established the “Act on the Protection of Personal Information” (first edition) (National Diet 2003). In response, the three ministries (MEXT, MHLW and METI) issued a second edition of the “Ethics Guidelines” in 2004, adding to the original version a provision that facilities conform to the following four kinds of security control measures when handling personal data, while also maintaining the existing anonymisation system for genetic information (MEXT, MHLW and METI 2004, 6–7, translated from the Japanese):
-
1.
Systematic—establishing rules and procedures for safety management;
-
2.
Human—educating researchers and others on the appropriate handling of personal data;
-
3.
Physical—managing areas that handle personal data; and
-
4.
Technological—controlling access to information systems.
The anonymisation categories and security control measures remained the same through subsequent revisions (MEXT, MHLW and METI 2008, 2014).
The Development Period (2007–2017)
In the late 2000s, regulations on ICT started to require the involvement of an independent, third-party data protection authority to support the distribution of personal data, alongside protections under the initiative of international organisations. From the early 2010s, related domestic policy plans to promote the use of personal data through de-identification measures—meaning methods of processing personal data so that individuals cannot be identified and the original data with personal information are difficult to restore—were proposed in Japan. Both these elements became part of regulation on the handling of personal information in the life sciences by the late 2010s, leading to the abolishment of the anonymisation categories (of linked and unlinked information) (see Table 2 for summary of critical policy documents from 2007 to 2017).
De-identification continued to be a policy focus in ICT in the early 2010s, with the third-party authority still seen as a vehicle for promoting personal data distribution. The OECD Council published the “Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy” in 2007, proposing the development of a regulatory framework allowing for adequate co-management of activities of organisations even outside national borders by the governments of member states, which would assume full responsibility for the enforcement of privacy protection legislation (OECD 2007). The OECD formulated a revised version of its Privacy Guidelines in 2013; while leaving the eight basic principles untouched (as they had been since 1980), it recommended that each member state establish a privacy enforcement agency to support self-regulation through means such as a code of conduct (OECD 2013). Around the same time, the European Commission published “Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data” (European Commission 2012), calling for a third-party authority to oversee the observance of rules regarding handling of personal data and security control measures set forth by EU member states and international organisations by defining sufficient levels of protection for personal data within and outside the EU (passed by the European Parliament and European Council in 2016). Similar to developments internationally, in Japan, the IT Strategic Headquarters published “Policy Outline of the Institutional Revision for Utilisation of Personal Data” in 2014, which proposed a framework to ensure that the new third-party authority was sufficiently effective to clear the EU standards (IT Strategic Headquarters 2014c). In the same year, the national Ministry of Internal Affairs and Communications (MIC), which has jurisdiction over the handling of personal data in the public sector, announced a similar framework targeting ministries, based on the policy outline of the IT Strategic Headquarters (MIC 2014).
George Shishido, a constitutional scholar at the University of Tokyo and member of the IT Strategic Headquarters and MIC committee, led these deliberations. First, Shishido stated that the new third-party authority should also ensure process-wise a reasonable expectation of the constitutionally recognised right to privacy, based on social ‘trust’ obtained through sufficient dialogue with multi-stakeholders (IT Strategic Headquarters 2013a, 7). He considered it more appropriate to call the framework ‘co-regulation’, since it is intended to facilitate the third-party authority to formulate rules on utilisation of personal data by working with the ministries and private sector, rather than ‘self-regulation’. Such rules may be put into effect by ministries through ordinances, rules and guidelines, or as self-governing principles in the private sector. In the following excerpt, he pointed out that this approach promotes more flexible and private-sector-led self-regulation as well (IT Strategic Headquarters 2014a, 22, translated from the Japanese):
The greatest aspect of co-regulation, which involves public institutions to back up self-regulation, is that areas that have not been covered by ‘vertically divided’ guidelines according to business category or administration could now be regulated centrally under the new third-party authority. Furthermore, in the private sector, the distribution of new information could be handled within the framework of self-regulation, in which a self-regulatory organisation is formed through mutual collaboration. At the same time, multi-stakeholder processes could yield a system where consumer opinions can be drawn up on their own initiative.
In contrast, Ichiro Satoh, a computer scientist at the National Institute of Informatics, supported both deliberations—one targeting the public sector and the other the private sector—from the technical front. Asserting that no anonymisation technique makes re-identification completely impossible, he called for measures to de-identify personal data in a way that would strike a balance between data utilisation and re-identification risk (IT Strategic Headquarters 2013b, 5, translated from the Japanese):
There are different levels of anonymisation; some techniques leave room for possible re-identification, but on the other hand, such data could be difficult to utilise. Since we cannot flatly pick one over the other, we need to think of a broad standard. … Basically, there is no way to anonymise data such that re-identification is 100% impossible. It might be possible to achieve this, if anonymisation is carried out to the extent that data utilisation is completely left out of consideration; however, such data would no longer be usable. I think the issue is the balance.
Satoh created a report to address technical inquiries from the review meeting, in which he recommended de-identification measures that could avoid the risk of personal data being linked back to individuals. Specifically, he raised three points: (1) attributes such as name and date of birth that can be used to directly identify a specific individual must be deleted and/or processed; (2) characteristic combinations of attributes and values should be deleted and/or processed; and (3) all combinations of attributes must be processed so as not to be linkable back to the original personal data. Regarding (3), a representative example was provided with k-anonymisation (a situation in which information for each individual in a data release has similar attributes and thus cannot be distinguished from information of other individuals in the data release; Sweeney 2002). Furthermore, alongside a regulation that forbade data receivers from identifying specific individuals, he proposed a framework allowing original data to be provided to those who wished to obtain them, as an exception, even without the informed consent of the provider (Technical Review Working Group 2014). Moreover, given that there are few precedents worldwide where data—which, as noted, always retains identifiable information regarding specific individuals to a certain degree—have been made available without the consent of data providers (MIC 2014), the most important point is whether individuals will put their trust in this system. Moreover, he stressed the primary importance of regulation ensuring that the recipient of data would not try to identify individuals from the data obtained (IT Strategic Headquarters 2014b, 13).
The National Diet accepted the views of the constitutional scholar and computer scientist described above and passed a second edition of “Act on the Protection of Personal Information”, reflecting these views (National Diet 2015); it provided a framework for use of information subjected to de-identification measures. As for processing method, as in Satoh’s proposal, existing security control measures were put in place as a means to prevent leakage by the information processor of descriptions allowing personal re-identification or of information on the details of the processing method.
A framework to ensure the quality of de-identification measures through support by the third-party authority was also incorporated into the governmental strategy for the promotion of genomic medicine, which was drafted during the same period, leading to revision of “Ethics Guidelines” in accordance with full enforcement of the second edition of “Act on the Protection of Personal Information”. In the late 2010s, application of de-identification measures to methods of anonymising personal data relating to human genome research in these guidelines was adopted by MEXT, MHLW and METI, and with this, the distinction between the two categories of anonymisation (linkable or unlinkable) was eliminated.
The Headquarters for Healthcare Policy, an organisation established in 2012 with a status equivalent to that of the IT Strategic Headquarters under the Cabinet, announced the “Healthcare Policy” in 2014, adopted as a national goal research and development for disease prevention through integration of genome polymorphism information from East Asian populations, including the Japanese. It instructed relevant ministries to revise the “Ethics Guidelines” to allow the development of a system that facilitates effective use of patient-derived samples and clinical information accumulated in biobanks and also of cohorts in human genome research (Headquarters for Healthcare Policy 2014). Moreover, CSTI, which has jurisdiction over general science and technology policy in Japan, published the “5th Science and Technology Basic Plan (2016-2020)” in 2016, urging the development of strategies to increase the validity of “Ethics Guidelines” and foster trust among Japanese people to promote social implementation of science and technology (CSTI 2016).
MEXT, MHLW and METI revised the Ethical Guidelines in conformity with these policies in late 2016 and, the following year, announced the seventh edition of “Ethics Guidelines”. With this revision, intended to align with the second edition of “Act on the Protection of Personal Information”, descriptions of de-identification measures were modified to be adoptable through the review of research protocols by ethics committees; also, the concepts of linkable/unlinkable anonymisation were removed (MEXT, MHLW and METI 2017). However, the security control measures, which had been introduced to these guidelines in 2004, were maintained, in the same context as in the second edition of “Act on the Protection of Personal Information”.
Discussion
Historical Background of the New Regulatory Framework for Human Genome Research in Japan
The adoption of de-identification measures in the new framework represents a shift in the regulatory model from event-centred to process-centred. Until the early 2000s, techniques such as unlinkable anonymisation were adopted to ensure that there would be no ‘event’ leading to external leakage of genetic information or other data identifiable of a single person. However, in the mid-2000s, the popularisation of genome-wide association studies (GWAS) shifted the main research object in the field from single- to multi-factor diseases, and around the same time, the expected role of regulations controlling such studies likely shifted as well: a framework of ‘processes’ supporting the utilisation of related data, including provision of analysis results to study participants themselves, emerged, with linkable anonymisation at its centre.
The first edition of “Ethics Guidelines” in 2001 recommended anonymisation, mainly in the handling of genetic information. However, this recommendation assumed unlinkable anonymisation to be the main viable method and linkable anonymisation as suboptimal. In 2003, when the first edition of “Act on the Protection of Personal Information” was enacted, the above-mentioned guidelines were also subject to “Act”, which called for security control measures, repositioning genetic information as a relatively sensitive type of personal data. Regulation to ensure security control in life sciences research in Japan has been the highest priority, which includes measures to prevent external leakage of recombinant DNA information using two methods—‘Physical Containment’ and ‘Biological Containment’. This led to the Japanese version of the “Recombinant DNA Research Guidelines” in the late 1970s (Hishiyama 2003; Nagai et al. 2009). The information and communications regulatory framework up to the early 2000s thus took shape under an emphasis on ‘hard’ control centred around physical and technical security control measures combined with ‘soft’ management of organisational and personal practices.
Regarding historical conditions that contributed to this major shift toward measures that support distribution of personal data while keeping de-identification at the core, one was the spread of GWAS since the mid-2000s, which led to a paradigm shift in human genome research to focus on the elucidation of the pathological states of multi-factor diseases such as hypertension (Kato et al. 2011) and type II diabetes (Kato 2013), rather than conventional, single-factor diseases. Along with this, ethical norms that control such research also took a new direction in terms of their main role, from implementing security control measures to allowing return of analysis results back to those who provided anonymous but linkable personal medical information, with the overall goal of helping providers maintain their health. The transition to this anonymisation approach, which goes beyond measures for preventing incidents (e.g. data leakage to external entities) and supports distribution of even sensitive genetic information, may have been the historical basis for the rapidity of the development of policies concerning handling of personal data and its application to human genome research in the mid-2010s.
The Evolving Role of a Third-Party Authority
One existing approach to understanding self-regulation incorporates (1) the perspective of support provided by a third-party authority to foster cooperation between the government and the private sector and (2) ‘legalistic self-regulation’ and ‘coordinated self-regulation’, which focus on the extent of government intervention in the private sector.
Previous analyses of regulation that mainly targeted ICT have considered it the most important to determine whether the level of state intervention in the private sector, exercised with legal force, is high or low, with respect to their independent efforts. In this understanding, the level of intervention by the state in the US, for example, is relatively low, under a state of legalistic self-regulation (Balleisen 2010; Balleisen and Eisner 2009; Weiser 2009; Weiser 2010) in which self-regulation in the private sector is monitored by the government. Similarly, it is understood that the level of state intervention under a state of coordinated self-regulation (Collins 2009; Marsden 2011; Hüpkes 2009; Senden 2005), in which the government and the private sector jointly make repeated adjustments, is likely high, as in Europe.
However, in human genome research, where two fields—life sciences and ICT—overlap, personal data possessed by private as well as public institutions such as hospitals and research institutions need to be utilised effectively and collectively to get good findings. From this point of view, the opinion that the handling of personal data should be regarded as co-regulation rather than self-regulation, as suggested by Shishido during the IT Strategic Headquarters review meeting (IT Strategic Headquarters 2014a, 22), is best viewed as a consequence of changes in international regulatory policies (especially OECD and EU policies) in life sciences and ICT that have deeply impacted the regulatory approach in Japan since the late 2000s. This perspective can provide a response to the question of ‘How should self-governance in the public sector be handled?’ for optimal governance in terms of the balance between self-regulation and traditional governmental regulation which has been in place since the 1990s (Christou and Simpson 2009; Kohler-Koch and Eising 1999; Pierre 2000). Potentially, Shishido’s approach could foster partial self-governance in the public sector, by having the third-party authority play a mediatory role to facilitate cooperation through which ideas from the private sector could lead to improved regulations, in addition to solely administering regulatory requirements. This idea could be added to the conventional framework of self-regulation as a step toward developing public-private partnerships for implementation of genomic medicine.
Bioethics Policy in Light of Recent Developments in Science and Public Policy
Bioethics policy that permits the distribution of anonymised data based on the consent of the provider and ethical review board approval has been expanded to subsume first life science regulations in the early 2000s and then ICT regulations from the mid-2010s, without a hard requirement of complete anonymisation.
A framework that allows sensitive information, which could be linked to specific individuals’ information, to be handled without anonymisation was included in life science regulations in the early 2000s for exceptional cases, following the adoption of “Fundamental Principles of Research on the Human Genome” (2000) by the CST Bioethics Committee. It applies only if the study protocol has been approved by the relevant research ethics committee, with the consent of individuals who provided the information themselves. This bioethics policy was retained in “Ethics Guidelines” through all seven revisions up to February 2017. In the meantime, from the early 2010s, the government’s information and communication strategy “Policy Outline of the Institutional Revision for Utilisation of Personal Data”, drafted by the IT Strategic Headquarters (2014), recognised the technical limitations of anonymisation in public policy. This led to a new framework that enabled the proactive distribution of data subjected to de-identification measures for use in academic research with the informed consent of personal data providers. The reason for this is that, as Satoh indicated at the IT Strategic Headquarters review meeting (IT Strategic Headquarters 2013b, 5): ‘there is no way to anonymise data such that re-identification is 100% impossible’; by being aware of this limitation and building it into data usage promotion measures, the main regulatory theme can be said to be ‘how should we suitably handle information from which there is a possibility that individuals can be identified (including information obtained with consent from a data providers)?’ It seems reasonable to recognise this development as a process through which control measures in ICT, which have responded flexibly to rapid changes in society, came to be affected by the demand for a bioethics policy with a specific focus on privacy protection.
In this context, it is important that the third-party authority that mediates provision of processed data garners the trust of personal data providers, enough for them to provide consent. Based on their respective professional insights in institutional and technical realms, Shishido and Satoh, who led the deliberations of the IT Strategic Headquarters and MIC on policies regarding personal data de-identification, suggested a need to foster such a feeling of trust, so that data providers will regard the third-party authority as a guarantee that the provision of information will not lead to identification of specific individuals (IT Strategic Headquarters 2013a, 7, 2014b, 13). To this end, a doctrine that emphasises trust, in addition to the individual autonomy already incorporated as a concept in bioethics, might prove useful. The idea that participants’ individual autonomy should be respected in relation to their participation in biomedical research went into full swing in the 1970s in North America; however, in the 1990s, excessive focus on this notion led to criticism mainly in Europe, and in contraposition, the importance of trust, which needs to be nurtured by each of various stakeholders including physicians and researchers, was highlighted (Fox and Swazey 2008; Jonsen 1998; Stirrat and Gill 2005). This debate, derived from bioethics, has also been relevant in ICT since the 2000s (Collins 2009; O’Neill 2002). From the results of this paper, as long as complete anonymisation is technically impossible, no framework for utilisation can be established unless the trust that data users have for data providers is nurtured and maintained, since the providers insist on a stance of intentionally avoiding anonymisation. Further results from bioethics research could thus help provide a theoretical basis with respect to the question ‘what sort of rules should the recipient of personal data—which have been processed to the extent that individuals cannot be specified fully—abide by in order to ensure a sense of trust in the system?’
Limitations
The main objective of this study was providing a historical perspective on the regulation of human genome research in Japan, with a focus on the ways in which personal data has been handled. Therefore, consideration of “Act on the Protection of Personal Information” and the current “Ethics Guidelines” was limited to aspects directly related to this objective; materials related to policies on medical ICT innovation were treated under similar conditions. Based on the result of this research, the assessment of thought processes behind the current regulations in Japan, including the themes above, could be a next step.
Conclusion
With respect to the historical background of human genome research regulation in Japan, this study found that until the mid-2000s, policies were developed around security control measures based on the distinction between linkable and unlinkable anonymisation in order to prevent personal data from leaking to external entities. Thereafter, these techniques were abolished and personal data de-identification measures were implemented, which made it difficult to identify specific individuals from data. This process also involved a policy transition toward supporting the activities of various stakeholders by establishing an independent data protection authority.
References
Akabayashi, Akira. 2009. Bioethics in Japan, 1980–2009: Importation, development, and the future. Asian Bioethics Review 1 (3): 267–278.
Balleisen, Edward J. 2010. The prospects for effective co-regulation in the United States: A historian’s view from the early twenty-first century. In Government and markets: Toward a new theory of regulation, ed. Edward J. Balleisen and David A. Moss, 443–481. New York: Cambridge University Press.
Balleisen, Edward J., and Marc Eisner. 2009. The promise and pitfalls of co-regulation: How governments can draw on private governance for public purpose. In New perspectives on regulation, ed. David A. Moss and John A. Cisternino, 127–150. Cambridge: Tobin Project.
Bioethics Committee, Council for Science and Technology (CST). 2000. Fundamental principles of research on the human genome. http://www.mext.go.jp/b_menu/shingi/kagaku/rinri/pri00614.pdf.
Brown, Ian, and Christopher T. Marsden. 2013. Regulating code: Good governance and better regulation in the information age. Cambridge: MIT Press.
Christou, George, and Seamus Simpson. 2009. New governance, the internet, and country code top-level domains in Europe. Governance 22 (4): 599–624. https://doi.org/10.1111/j.1468-0491.2009.01455.x.
Collins, Richard. 2009. Trust and trustworthiness in the fourth and fifth estates. International Journal of Communication 3: 61–86.
Council for Science and Technology Policy (CSTP). 2001. The 2nd science and technology basic plan (2001–2005). http://www8.cao.go.jp/cstp/english/basic/2nd-BasicPlan_01-05.pdf.
Council for Science, Technology and Innovation (CSTI). 2016. The 5th science and technology basic plan (2016–2020). http://www8.cao.go.jp/cstp/english/basic/5thbasicplan.pdf.
European Commission. 2012. Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:52012PC0011.
European Parliament, and European Council. 1995. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. http://eur-lex.europa.eu/eli/dir/1995/46/oj.
European Parliament, and European Council. 2016. Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing directive 95/46/EC. http://eur-lex.europa.eu/eli/reg/2016/679/oj.
European Parliament, European Council, and European Commission. 2003. Interinstitutional agreement on better law-making. http://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex:32003Q1231(01).
Fox, Renée C., and Judith P. Swazey. 2008. Observing bioethics. New York: Oxford University Press.
Headquarters for Healthcare Policy. 2014. The Healthcare Policy. http://www.kantei.go.jp/jp/singi/kenkouiryou/en/pdf/policy.pdf.
Hishiyama, Yutaka. 2003. Handbook of bioethics. Tokyo: Tsukiji-Shokan (in Japanese).
Hüpkes, Eva. 2009. Regulation, self-regulation or co-regulation? Journal of Business Law 5: 429–430.
IT Strategy Headquarters. 2000. Policy outline regarding the basic legislation for the protection of personal information. http://www.kantei.go.jp/jp/it/privacy/houseika/taikouan/pdfs/1011taikou.pdf. (in Japanese).
Jonsen, Albert R. 1998. The birth of bioethics. New York: Oxford University Press.
Kato, Norihiro. 2013. Insights into the genetic basis of type 2 diabetes. Journal of Diabetes Investigation 4 (3): 233–244.
Kato, Norihiro, Fumihiko Takeuchi, Yasuharu Tabara, Tanika N. Kelly, Min Jin Go, Xueling Sim, Wan Ting Tay, et al. 2011. Meta-analysis of genome-wide association studies identifies common variants associated with blood pressure variation in East Asians. Nature Genetics 43 (6): 531–538.
Kohler-Koch, Beate, and Rainer Eising. 1999. The transformation of governance in the European Union. Abingdon: Routledge.
Manolio, Teri A., Marc Abramowicz, Fahd Al-Mulla, Warwick Anderson, Rudi Balling, Adam C. Berger, Steven Bleyl, et al. 2015. Global implementation of genomic medicine: We are not alone. Science Translational Medicine 7 (290): 290ps13. https://doi.org/10.1126/scitranslmed.aab0194.
Marsden, Christopher T. 2011. Internet co-regulation: European law, regulatory governance and legitimacy in cyberspace. Cambridge: Cambridge University Press.
Minari, Jusaku, Tetsuya Shirai, and Kazuto Kato. 2014. Ethical considerations of research policy for personal genome analysis: The approach of the Genome Science Project in Japan. Life Sciences, Society and Policy 10: 1–11.
Ministry of Education, Culture, Sports, Science and Technology (MEXT), Ministry of Health, Labour and Welfare (MHLW), and Ministry of Economy, Trade and Industry (METI). 2001. Ethics guidelines for human genome/gene analysis research (1st edition). http://www.lifescience.mext.go.jp/files/pdf/40_213.pdf.
Ministry of Education, Culture, Sports, Science and Technology (MEXT), Ministry of Health, Labour and Welfare (MHLW), and Ministry of Economy, Trade and Industry (METI). 2004. Ethics guidelines for human genome/gene analysis research (2nd edition). Journal of the Kyorin Medical Society 36 (2): 1–37 https://www.jstage.jst.go.jp/browse/kyorinmed/36/2/_contents. (in Japanese).
Ministry of Education, Culture, Sports, Science and Technology (MEXT), Ministry of Health, Labour and Welfare (MHLW), and Ministry of Economy, Trade and Industry (METI) 2008. Ethics guidelines for human genome/gene analysis research (4th edition). http://www.lifescience.mext.go.jp/files/pdf/n796_00.pdf.
Ministry of Education, Culture, Sports, Science and Technology (MEXT), Ministry of Health, Labour and Welfare (MHLW), and Ministry of Economy, Trade and Industry (METI) 2014. Ethics guidelines for human genome/gene analysis research (6th edition). http://www.lifescience.mext.go.jp/files/pdf/n1432_01_01.pdf. (in Japanese).
Ministry of Education, Culture, Sports, Science and Technology (MEXT), Ministry of Health, Labour and Welfare (MHLW), and Ministry of Economy, Trade and Industry (METI) 2017. Ethics guidelines for human genome/gene analysis research (7th edition). http://www.lifescience.mext.go.jp/files/pdf/n1859_03r2.pdf. (in Japanese).
Ministry of Internal Affairs and Communications (MIC). 2014. Interim discussion. http://www.soumu.go.jp/main_content/000324058.pdf. (in Japanese).
Nagai, Hiroyuki, Yoshio Nukaga, Koji Saeki, and Akira Akabayashi. 2009. Self-regulation of recombinant DNA technology in Japan in the 1970s. Historia Scientiarum: International Journal of the History of Science Society of Japan 19 (1): 1–18.
National Diet (Japan). 2003. Act on the protection of personal information, Act No. 57 of May 30. http://www.cas.go.jp/jp/seisaku/hourei/data/APPI.pdf.
National Diet (Japan) 2015. Amended act on the protection of personal information, Act No. 65 of September 9. http://www.ppc.go.jp/files/pdf/280222_amendedlaw.pdf.
Newman, Abraham L., and David Bach. 2004. Self-regulatory trajectories in the shadow of public power: Resolving digital dilemmas in Europe and the United States. Governance 17 (3): 387–413. https://doi.org/10.1111/j.0952-1895.2004.00251.x.
O’Neill, Onora. 2002. Autonomy and trust in bioethics. Cambridge: Cambridge University Press.
Organisation for Economic Co‐operation and Development (OECD). 1980. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Paris: OECD Publishing. https://dx.doi.org/10.1787/9789264196391-en.
Organisation for Economic Co-operation and Development (OECD). 2007. Recommendation on cross-border co-operation in the enforcement of laws protecting privacy. Paris: OECD Publishing. https://www.oecd.org/sti/ieconomy/38770483.pdf.
Organisation for Economic Co-operation and Development (OECD). 2013. Guidelines on the protection of privacy and transborder flows of personal data. Paris: OECD Publishing. https://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf.
Organisation for Economic Co-operation and Development (OECD). 2016. OECD science, technology and innovation outlook 2016. Paris: OECD Publishing. https://dx.doi.org/10.1787/sti_in_outlook-2016-en.
Pierre, Jon, ed. 2000. Debating governance: Authority, steering, and democracy. Oxford: Oxford University Press.
Senden, Linda A. J. 2005. Soft law, self-regulation and co-regulation in European law: Where do they meet? Electronic Journal of Comparative Law 9 (1): 1-27. https://www.ejcl.org/91/art91-3.PDF.
Stirrat, Gordon M., and Robin Gill. 2005. Autonomy in medical ethics after O’Neill. Journal of Medical Ethics 31 (3): 127–130. https://doi.org/10.1136/jme.2004.008292.
Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters). 2013a. Overview of the 1st proceedings. http://www.kantei.go.jp/jp/singi/it2/pd/dai1/gijiyousi.pdf. (in Japanese).
Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters). 2013b. Overview of the 2nd proceedings. http://www.kantei.go.jp/jp/singi/it2/pd/dai2/gijiyousi.pdf. (in Japanese).
Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters). 2014a. Overview of the 10th proceedings. http://www.kantei.go.jp/jp/singi/it2/pd/dai10/gijiyousi.pdf. (in Japanese).
Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters). 2014b. Overview of the 11th proceedings. http://www.kantei.go.jp/jp/singi/it2/pd/dai11/gijiyousi.pdf. (in Japanese).
Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters). 2014c. Policy outline of the institutional revision for utilisation of personal data. http://japan.kantei.go.jp/policy/it/20140715_2.pdf.
Sweeney, Latanya. 2002. K-anonymity: A model for protecting privacy. International Journal of Uncertainty, Fuzziness and Knowledge-Based Systems 10 (5): 557–570. https://doi.org/10.1142/S0218488502001648.
Technical Review Working Group, Strategic Headquarters for the Promotion of an Advanced Information and Telecommunications Network Society (IT Strategic Headquarters). 2014. Technical Review Working Group report: Consideration of “Quasi-Personal Information (Tentative Title)” and “Data with Reduced Personal Identification (Tentative Title)” from the technical point of view. http://www.kantei.go.jp/jp/singi/it2/pd/dai10/siryou1-2.pdf. (in Japanese).
United Nations Educational, Scientific and Cultural Organisation (UNESCO). 1997. Universal declaration on the human genome and human rights. http://unesdoc.unesco.org/images/0012/001229/122990eo.pdf.
Weiser, Philip J. 2009. The future of Internet regulation. UC Davis Law Review 43: 529–590. https://doi.org/10.2139/ssrn.1344757.
Weiser, Philip J. 2010. Towards an international dialogue on the institutional side of antitrust. NYU Annual Survey of American Law 66: 445–458.
Acknowledgements
I gratefully acknowledge the many helpful comments and suggestions that I received from Ms Suzuka Sakashita (Cabinet Secretariat, Government of Japan).
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Nagai, H. Development of Personal Data Handling Policy in Human Genome Research: a Historical Perspective in Japan. ABR 9, 183–197 (2017). https://doi.org/10.1007/s41649-017-0022-z
Published:
Issue Date:
DOI: https://doi.org/10.1007/s41649-017-0022-z